首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >《coredump问题原理探究》Linux x86版4.2节函数的逆向之顺序结构

《coredump问题原理探究》Linux x86版4.2节函数的逆向之顺序结构

作者头像
血狼debugeeker
发布2018-09-20 14:26:18
3230
发布2018-09-20 14:26:18
举报
文章被收录于专栏:debugeeker的专栏debugeeker的专栏

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://cloud.tencent.com/developer/article/1344435

先看一下例子:

#include <stdio.h>

int main()
{
     int a = 0, b = 0, c = 0, d = 0;
     scanf( "%d,%d", &a,&b );
     a += b;
     scanf( "%d", &c );
     a += c;
     scanf( "%d", &d );
     a += d;
 
     return a;
}

看一下main函数的汇编:

(gdb) disassemble main
Dump of assembler code for function main:
   0x08048570 <+0>:     push   %ebp
   0x08048571 <+1>:     mov    %esp,%ebp
   0x08048573 <+3>:     and    $0xfffffff0,%esp
   0x08048576 <+6>:     sub    $0x20,%esp
   0x08048579 <+9>:     movl   $0x0,0x1c(%esp)
   0x08048581 <+17>:    movl   $0x0,0x18(%esp)
   0x08048589 <+25>:    movl   $0x0,0x14(%esp)
   0x08048591 <+33>:    movl   $0x0,0x10(%esp)
   0x08048599 <+41>:    lea    0x18(%esp),%eax
   0x0804859d <+45>:    mov    %eax,0x8(%esp)
   0x080485a1 <+49>:    lea    0x1c(%esp),%eax
   0x080485a5 <+53>:    mov    %eax,0x4(%esp)
   0x080485a9 <+57>:    movl   $0x80486b4,(%esp)
   0x080485b0 <+64>:    call   0x8048440 <scanf@plt>
   0x080485b5 <+69>:    mov    0x1c(%esp),%edx
   0x080485b9 <+73>:    mov    0x18(%esp),%eax
   0x080485bd <+77>:    add    %edx,%eax
   0x080485bf <+79>:    mov    %eax,0x1c(%esp)
   0x080485c3 <+83>:    lea    0x14(%esp),%eax
   0x080485c7 <+87>:    mov    %eax,0x4(%esp)
   0x080485cb <+91>:    movl   $0x80486ba,(%esp)
   0x080485d2 <+98>:    call   0x8048440 <scanf@plt>
   0x080485d7 <+103>:   mov    0x1c(%esp),%edx
   0x080485db <+107>:   mov    0x14(%esp),%eax
   0x080485df <+111>:   add    %edx,%eax
   0x080485e1 <+113>:   mov    %eax,0x1c(%esp)
   0x080485e5 <+117>:   lea    0x10(%esp),%eax
   0x080485e9 <+121>:   mov    %eax,0x4(%esp)
   0x080485ed <+125>:   movl   $0x80486ba,(%esp)
   0x080485f4 <+132>:   call   0x8048440 <scanf@plt>
   0x080485f9 <+137>:   mov    0x1c(%esp),%edx
   0x080485fd <+141>:   mov    0x10(%esp),%eax
   0x08048601 <+145>:   add    %edx,%eax
   0x08048603 <+147>:   mov    %eax,0x1c(%esp)
   0x08048607 <+151>:   mov    0x1c(%esp),%eax
   0x0804860b <+155>:   jmp    0x8048615 <main+165>
   0x0804860d <+157>:   mov    %eax,(%esp)
   0x08048610 <+160>:   call   0x8048460 <_Unwind_Resume@plt>
   0x08048615 <+165>:   leave  
   0x08048616 <+166>:   ret    
End of assembler dump.

区区十来行代码,就变成了非常多的汇编语句,非常令人害怕。实际上,不需要那么害怕。

先看一下call指令的地方,由于call指令是调用函数的,所以,用它可以大致定一下这样的范围。

先看一下三个call指令的地址:

   0x080485b0 <+64>:    call   0x8048440 <scanf@plt>
   0x080485d2 <+98>:    call   0x8048440 <scanf@plt>
   0x080485f4 <+132>:   call   0x8048440 <scanf@plt>

可以知道,

   0x08048570 <+0>:     push   %ebp
   0x08048571 <+1>:     mov    %esp,%ebp
   0x08048573 <+3>:     and    $0xfffffff0,%esp
   0x08048576 <+6>:     sub    $0x20,%esp
   0x08048579 <+9>:     movl   $0x0,0x1c(%esp)
   0x08048581 <+17>:    movl   $0x0,0x18(%esp)
   0x08048589 <+25>:    movl   $0x0,0x14(%esp)
   0x08048591 <+33>:    movl   $0x0,0x10(%esp)
   0x08048599 <+41>:    lea    0x18(%esp),%eax
   0x0804859d <+45>:    mov    %eax,0x8(%esp)
   0x080485a1 <+49>:    lea    0x1c(%esp),%eax
   0x080485a5 <+53>:    mov    %eax,0x4(%esp)
   0x080485a9 <+57>:    movl   $0x80486b4,(%esp)

这一段汇编的地址少于第一个call指令地址0x080485b0,所以,它们大概对应于代码:

int a = 0, b = 0, c = 0, d = 0;

   0x080485b5 <+69>:    mov    0x1c(%esp),%edx
   0x080485b9 <+73>:    mov    0x18(%esp),%eax
   0x080485bd <+77>:    add    %edx,%eax
   0x080485bf <+79>:    mov    %eax,0x1c(%esp)
   0x080485c3 <+83>:    lea    0x14(%esp),%eax
   0x080485c7 <+87>:    mov    %eax,0x4(%esp)
   0x080485cb <+91>:    movl   $0x80486ba,(%esp)

这一段汇编由于地址大于0x080485b0,小于0x080485d2,所以,它们大致对应于代码:

a += b;

   0x080485d7 <+103>:   mov    0x1c(%esp),%edx
   0x080485db <+107>:   mov    0x14(%esp),%eax
   0x080485df <+111>:   add    %edx,%eax
   0x080485e1 <+113>:   mov    %eax,0x1c(%esp)
   0x080485e5 <+117>:   lea    0x10(%esp),%eax
   0x080485e9 <+121>:   mov    %eax,0x4(%esp)
   0x080485ed <+125>:   movl   $0x80486ba,(%esp)

这一段汇编地址大于0x080485d2,小于0x080485f4,所以,它们大致对应于代码:

a += c;

   0x080485f9 <+137>:   mov    0x1c(%esp),%edx
   0x080485fd <+141>:   mov    0x10(%esp),%eax
   0x08048601 <+145>:   add    %edx,%eax
   0x08048603 <+147>:   mov    %eax,0x1c(%esp)
   0x08048607 <+151>:   mov    0x1c(%esp),%eax
   0x0804860b <+155>:   jmp    0x8048615 <main+165>
   0x0804860d <+157>:   mov    %eax,(%esp)
   0x08048610 <+160>:   call   0x8048460 <_Unwind_Resume@plt>
   0x08048615 <+165>:   leave  
   0x08048616 <+166>:   ret    

这一段汇编地址大于0x080485f4,所以,它们对应于代码:

a += d;

return a;

看,分析汇编,并不是那么让人恐怖。但上面由于有一些指令是编译器生成的,有一些是函数调用时把参数入栈的指令,所以,要筛选出这些指令,仅以第一段汇编为例(即第一个scanf调用前的汇编):

   0x08048570 <+0>:     push   %ebp
   0x08048571 <+1>:     mov    %esp,%ebp
   0x08048573 <+3>:     and    $0xfffffff0,%esp
   0x08048576 <+6>:     sub    $0x20,%esp
   0x08048579 <+9>:     movl   $0x0,0x1c(%esp)
   0x08048581 <+17>:    movl   $0x0,0x18(%esp)
   0x08048589 <+25>:    movl   $0x0,0x14(%esp)
   0x08048591 <+33>:    movl   $0x0,0x10(%esp)
   0x08048599 <+41>:    lea    0x18(%esp),%eax
   0x0804859d <+45>:    mov    %eax,0x8(%esp)
   0x080485a1 <+49>:    lea    0x1c(%esp),%eax
   0x080485a5 <+53>:    mov    %eax,0x4(%esp)
   0x080485a9 <+57>:    movl   $0x80486b4,(%esp)

由第三章可知,

   0x08048570 <+0>:     push   %ebp
   0x08048571 <+1>:     mov    %esp,%ebp

是属于函数开头的特征指令,所以,这是由编译器自动生成的。

   0x08048573 <+3>:     and    $0xfffffff0,%esp
   0x08048576 <+6>:     sub    $0x20,%esp

则是用来调整esp和分配局部变量空间的,也是编译器自动生成的。所以,第一段汇编只剩下

   0x08048579 <+9>:     movl   $0x0,0x1c(%esp)
   0x08048581 <+17>:    movl   $0x0,0x18(%esp)
   0x08048589 <+25>:    movl   $0x0,0x14(%esp)
   0x08048591 <+33>:    movl   $0x0,0x10(%esp)
   0x08048599 <+41>:    lea    0x18(%esp),%eax
   0x0804859d <+45>:    mov    %eax,0x8(%esp)
   0x080485a1 <+49>:    lea    0x1c(%esp),%eax
   0x080485a5 <+53>:    mov    %eax,0x4(%esp)
   0x080485a9 <+57>:    movl   $0x80486b4,(%esp)

是和

 int a = 0, b = 0, c = 0, d = 0;

对应。由于

scanf( "%d,%d", &a,&b );

是有三个参数,根据第三章内容,

   0x08048599 <+41>:    lea    0x18(%esp),%eax
   0x0804859d <+45>:    mov    %eax,0x8(%esp)
   0x080485a1 <+49>:    lea    0x1c(%esp),%eax
   0x080485a5 <+53>:    mov    %eax,0x4(%esp)
   0x080485a9 <+57>:    movl   $0x80486b4,(%esp)

刚好是把scanf的三个参数入栈的操作,可以通过运行时得到0x80486b4指向的内容:

gdb) tbreak *0x080485b0
Temporary breakpoint 1 at 0x80485b0
(gdb) r
Starting program: /home/buckxu/work/4/1/xuzhina_dump_c4_s1 

Temporary breakpoint 1, 0x080485b0 in main ()
(gdb) x /s 0x80486b4
0x80486b4 <__dso_handle+4>:      "%d,%d"

也就是说,只有

   0x08048579 <+9>:     movl   $0x0,0x1c(%esp)
   0x08048581 <+17>:    movl   $0x0,0x18(%esp)
   0x08048589 <+25>:    movl   $0x0,0x14(%esp)
   0x08048591 <+33>:    movl   $0x0,0x10(%esp)

才是和

int a = 0, b = 0, c = 0, d = 0;

对应的。

小结:

由于顺序结构的逆向非常考验汇编基础,但如果是有函数调用的话,先找call指令,根据call指令来划分范围,筛选出编译器自动生成的指令。

本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2013年02月01日,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 作者个人站点/博客 前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体分享计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档